CN1156801C - Method for protection of safety module and configuration for carrying out said method - Google Patents

Method for protection of safety module and configuration for carrying out said method Download PDF

Info

Publication number
CN1156801C
CN1156801C CNB001038745A CN00103874A CN1156801C CN 1156801 C CN1156801 C CN 1156801C CN B001038745 A CNB001038745 A CN B001038745A CN 00103874 A CN00103874 A CN 00103874A CN 1156801 C CN1156801 C CN 1156801C
Authority
CN
China
Prior art keywords
security module
voltage
processor
unit
detecting unit
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
CNB001038745A
Other languages
Chinese (zh)
Other versions
CN1276579A (en
Inventor
�˵á�������˹
彼得·波斯特
德克·罗西瑙
托斯坦·施拉夫
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Flangkoteip-Postliya & Co GmbH
Original Assignee
Flangkoteip-Postliya & Co GmbH
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Flangkoteip-Postliya & Co GmbH filed Critical Flangkoteip-Postliya & Co GmbH
Publication of CN1276579A publication Critical patent/CN1276579A/en
Application granted granted Critical
Publication of CN1156801C publication Critical patent/CN1156801C/en
Anticipated expiration legal-status Critical
Expired - Lifetime legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07BTICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
    • G07B17/00Franking apparatus
    • G07B17/00733Cryptography or similar special procedures in a franking system
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07BTICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
    • G07B17/00Franking apparatus
    • G07B17/00185Details internally of apparatus in a franking system, e.g. franking machine at customer or apparatus at post office
    • G07B17/00193Constructional details of apparatus in a franking system
    • G07B2017/00233Housing, e.g. lock or hardened casing
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07BTICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
    • G07B17/00Franking apparatus
    • G07B17/00185Details internally of apparatus in a franking system, e.g. franking machine at customer or apparatus at post office
    • G07B17/00193Constructional details of apparatus in a franking system
    • G07B2017/00266Man-machine interface on the apparatus
    • G07B2017/00298Visual, e.g. screens and their layouts
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07BTICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
    • G07B17/00Franking apparatus
    • G07B17/00185Details internally of apparatus in a franking system, e.g. franking machine at customer or apparatus at post office
    • G07B17/00193Constructional details of apparatus in a franking system
    • G07B2017/00266Man-machine interface on the apparatus
    • G07B2017/00306Acoustic, e.g. voice control or speech prompting
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07BTICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
    • G07B17/00Franking apparatus
    • G07B17/00185Details internally of apparatus in a franking system, e.g. franking machine at customer or apparatus at post office
    • G07B17/00314Communication within apparatus, personal computer [PC] system, or server, e.g. between printhead and central unit in a franking machine
    • G07B2017/00346Power handling, e.g. power-down routine
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07BTICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
    • G07B17/00Franking apparatus
    • G07B17/00185Details internally of apparatus in a franking system, e.g. franking machine at customer or apparatus at post office
    • G07B17/00362Calculation or computing within apparatus, e.g. calculation of postage value
    • G07B2017/00395Memory organization
    • G07B2017/00403Memory zones protected from unauthorized reading or writing
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07BTICKET-ISSUING APPARATUS; FARE-REGISTERING APPARATUS; FRANKING APPARATUS
    • G07B17/00Franking apparatus
    • G07B17/00733Cryptography or similar special procedures in a franking system
    • G07B2017/00959Cryptographic modules, e.g. a PC encryption board
    • G07B2017/00967PSD [Postal Security Device] as defined by the USPS [US Postal Service]

Abstract

A method for protecting a security module includes the steps of monitoring proper insertion of the module on a device motherboard with first, second and third function units, erasing sensitive data due to an improper use or a replacement of the module with the second function unit, inhibiting the functionality of the module with the third function unit during a replacement of the security module, re-initializing the previously erased, sensitive data following proper use or replacement of the security module, and re-commissioning by enabling the function units of the security module.

Description

The method and the security module of protection security module
Technical field
The present invention relates to protect a kind of method of security module, and a kind of security module.The computing machine that this postal security module is particularly useful for the machine of postmarking and postal processor or has postal processing capacity.
Background technology
Use a digital printing equipment such as the US 4746234 disclosed thermal conversions machine that postmarks of such modern times of machine that postmarks.Thereby can print arbitrarily literal and special symbol in principle in the indicia prints district and arbitrarily or the ad content relevant with paying place.The machine T1000 that for example postmarks has a microprocessor that is packaged in security personnel's shell, has a fluting to be used for sending into mail on the shell.The mail sensor (microswitch) of a machinery provides a print request signal to microprocessor when mail is admitted to.The indicia prints content comprises and is used for the prior input that mail transmits and the postinfo of storage.The control module of machine of postmarking is finished clearing according to software, in case of necessity the real-time of data monitored, and the loading of control postage receipt and payment difference.
US 5606508 (DE 4213278B1) and US 5490077 have advised by means of chip card the above-mentioned thermal conversion machine that postmarks being realized the possibility of data input.A chip clamps new data in the machine of postmarking, and one group of other chip card can be by inserting the corresponding data that a chip card is changed to have imported.Like this can be than importing more convenient with keyboard and promptly realizing Data Loading and change.The franking machine of postmarking that is used for mail is equipped with a printer that is used for the print postage marking on mail, the control device of a control printer and the machine peripheral hardware that postmarks, a clearing unit that is used to settle accounts postage, at least one is used for storing the nonvolatile memory of postage data, and at least one is used for nonvolatile memory and a calendar/clock of the relevant data of storage security.The memory of data that storage security is relevant and/or calendar/clock are battery-powered usually.Security-related data (key etc.) are stored in the nonvolatile memory in the existing machine that postmarks.These storeies are EEPROM, the SRAM that FRAM or battery guarantee.The existing machine that postmarks usually also provides an inner real-time clock (Real Time Clock) RTC, and it is battery-powered.For example have the module of perfusion now, they include integrated circuit and lithium battery.This module must entirely be replaced and remove power supply at battery life to after date.See that from science and economic viewpoint only need to change battery just more effective.Yet this just must open security personnel's shell, and and then seal it because the security that opposing attacks mainly depends on security personnel's shell, it has sealed whole device.EP660269A2 (US 5671146) has proposed the security that a kind of suitable method improves the machine of postmarking, and the mandate of the shell of wherein ensuring public security is different with unauthorized unlatching.
The machine that postmarks needs to repair sometimes, if near element be difficulty or be restricted, repairing is difficult.In the future security personnel's shell will be compressed into so-called postal security module in large-scale postal processor or so-called PC postmark machine, and this will improve the accessibility of other elements.For the battery of changing security module economically also wishes to change battery on simple relatively approach.Battery must be outside security personnel's scope of the machine of postmarking for this reason.If but cell connection terminal also can be approaching from the outside, then possible attack can take place, and promptly controls the voltage of battery.Present battery powered SRAM has different requirements with RTC to its operating voltage.Keep the required voltage of data of SRAM to be lower than RTC work required voltage.This means that voltage drops under certain threshold value will cause undesirable behavior: the RTC stop motion is stored in the content that time in the sram cell and SRAM stored and is still keeping.The safety practice that has at least, for example long-time monitor may be invalid on the machine of postmarking.Long-time monitor works in following situation: far data center's time debt-credit amount given in advance or a time remaining phase, especially a fate or a fixed date, can report for work by communicating to connect up to this date device that postmarks.Can not postmark after arriving in time debt-credit amount or time limit.EP 660270A2 (US 5680463) serves as that topic has proposed a kind of method with " method and configuration that generation and test safety are printed ", it obtains up to the hypothesis time remaining phase that deposits fund in next time, and each machine that postmarks of on schedule not reporting for work is considered as being suspected by data center.The machine of being suspected of postmarking is notified to the post office, and the mail that stamp is crossed to the lid that comes out from the machine of being suspected of postmarking in the post office is checked.Expiring of time debt-credit amount or time limit also found out by the device that postmarks.The user is required to finish about overdue communication.
Security module is familiar with by everybody since electronic data-processing equipment is arranged.In order to resist the attack to electronic equipment, EP 417447B1 has advised a kind of sealing pack, and it wraps in electric supply installation and signal collection device and shield assembly in the shell.This shield assembly is made up of filler and coupling arrangement, connects electric supply installation and signal collection device on coupling arrangement.The latter responds to the connection changes in resistance of coupling arrangement.Security module comprises an internal cell in addition, and one is converted to the electric pressure converter of cell voltage by system voltage, power supply door and a short-circuit transistor and other sensors.When voltage drops to specified threshold when following, the action of power supply door.When connecting resistance, logical circuit was given response when temperature or light ray changed.Switch to low level by means of the power supply door or by means of the output terminal of logical circuit short-circuit transistor, the key that is stored in like this in the storer is eliminated.Yet for for the use in machine of postmarking or the postal processor, the serviceable life of the battery that can not change is too short, causes the serviceable life of security module too short thus.
Large-scale postal processor for example is JetMail Indicia prints is to realize by means of the ink jet-print head that static state is settled therein, and the transmission right and wrong level of mail, approach vertical.DE 19605105C1 has proposed a kind of suitable embodiment of printing equipment.Postal processor has a dial plate and a pedestal.Dial plate should assemble a shell, and makes element easily by approaching, and it must make it can resist attack by a postal security module, and this module is finished the clearing of postage at least.In order to get rid of the influence to program run, EP 789333A2 serves as a topic suggestion security module assembling special circuit (ApplicationSpecific Integrated Circuit) ASIC with " machine postmarks ", and it has a hardware clearing circuit.Special circuit is controlled the print data transmission to printhead in addition.Only this data transmission is only unwanted when producing unique print What for each mail.For example, advised a kind of suitable method and configuration that is used to produce and check a security printing among US 5712916 and the US 5734723 at US 5680463.One of them special-purpose safety label produces and is embedded in the printing curve with electronic method.
In undocumented German patent application 19816572.2 and 19816571.4, also propose security module and when being attacked, protected wherein other measures of the data of storage.Power consumption increases when a plurality of sensor is arranged, and one be not to draw the required electric current of sensor by the security module of system voltage power supply from its internal cell constantly, so battery is exhausted ahead of time.The capacity of battery and power consumption have limited the serviceable life of security module.
The same with many other products, the machine structure of postmarking has also realized modularization.This modularization makes module and the replacement of element of coming from a variety of causes become possibility.For example malfunctioning module can be removed and by checking, repair or replaced by new module.Because when changing those assemblies that comprise safety-relevant data, require the highest operant level, usually it is changed needs to be undertaken and taken some measures by the service technique personnel, and these measures are interrupted the function executing of security module during by against regulation use or unauthorized replacing in security module.But take these measure costs very expensive.
Summary of the invention
The objective of the invention is to, be implemented in the unauthorized manipulation that guarantees when security module is installed replaceably to resist to it with little expense.Its replacing should be carried out in simple as far as possible mode by anyone.
Above-mentioned task is finished like this:
The method of protection security module; described security module comprises first; second and the 3rd functional unit; wherein first functional unit is a processor; second functional unit is to have the voltage monitoring unit that can restore self-retaining function; and the 3rd functional unit is to have the not insertion detecting unit that can restore self-retaining function; comprise step: when security module is powered with system voltage, utilize first functional unit to monitor the state of security module; whether utilize second functional unit to monitor security module is used up to specificationly or is utilized the 3rd functional unit to monitor the replacing of security module; when against regulation use or replacing, remove sensitive data with second functional unit at least; when changing security module with the function of the 3rd functional unit locking security module; reinitialize the sensitive data that has been eliminated in security module use up to specification or after changing with first functional unit, by the release security module second and the 3rd functional unit are reworked.
Be used to be inserted into the security module on the equipment motherboard, comprise: store the memory of data relevant with security; Voltage monitoring unit, it provides operating voltage to described storer, to keep the described data storage relevant in storer with security, and when occurring showing security module by the voltage level of non-correct use and/or replacing, described voltage monitoring unit makes described storer disconnect from described voltage, is stored in wherein relevant data of described and security with removing; Do not insert detecting unit, it quits work described security module when changing described security module, and detecting unit also has self-retaining function, shows that described security module is replaced, when the measuring voltage level departed from predetermined voltage level, described self-retaining function was triggered; And be connected to described voltage monitoring unit and the described processor that does not insert detecting unit, after described security module and/or is changed non-correct use, described processor is by starting described voltage monitoring unit and the described detecting unit that do not insert restarts security module, shows describedly not insert detecting unit and restarted.
Starting point of the present invention is: confirm the machine of postmarking by means of functional unit, the replacing and the use of the security module of postal treating apparatus or similar devices are with the assurance of correctly carrying out its function about security module and even entire equipment of user that offers various device.The replacing of security module is detected and in case of necessity at least, sends as status signal when security module is plugged again and powers with system voltage afterwards.The state variation of security module is collected by means of first functional unit and a battery-powered detecting unit, and detecting unit has a recoverable holding circuit.First functional unit can be judged various states when it is powered by system voltage heavily again.Advantage is that the rapid reaction of the state variation of security module and detection cell circuit are had little battery power consumption and power without system voltage.
This has been avoided when changing the against regulation use of security module not only do not have system voltage when changing, and the battery of installing replaceably is also removed at least.More change jobs and to finish by unfamiliar personnel for making, and finish by the user fully in the future, second functional unit finished the monitoring that the voltage when changing battery descends, and first functional unit continuation of at first disposing responsive data and restriction or interrupting security module is fully simultaneously used.In the process of resuming operation afterwards first functional unit force security module with one far data center contact to discharge at least one functional unit.Be replaced if security module is up to specification, when resuming operation, reinitialize sensitive data.In order to set up contact, can utilize the method that adopts numeral or analog transmission circuit.
After completing successfully dynamic insertion detection, reinitialize by means of first functional unit and communicating to connect of data center far away, through interface circuit loop exchange message, the transmission that these information are error-free has proved that the security module structure is up to specification when first functional unit detects.The release of the functional unit of security module is restored by it and is realized.First functional unit is a processor that is connected with other functional units, and it is programmed to determine various states.Second functional unit is one and has the voltage monitoring unit that can restore holding circuit that the 3rd functional unit is one and has the not insertion testing circuit that can restore holding circuit.
Description of drawings
Describe the preferred embodiments of the invention in detail by means of accompanying drawing below.In the accompanying drawing
Fig. 1 is the block scheme and the interface of security module,
Fig. 2 is the frame circuit diagram of the machine of postmarking,
Fig. 3 is the skeleton view that the machine of postmarking is looked from behind,
Fig. 4 is the frame circuit diagram of security module (second kind of form),
Fig. 5 is detection cell circuit figure,
Fig. 6 is the side view of security module,
Fig. 7 is the top view of security module,
Fig. 8 a is the right view of security module,
Fig. 8 b is the left view of security module,
Embodiment
Fig. 1 illustrates the block scheme of security module 100, and security module has web member 101,102 that is used for connecting interface 8 and the cell connection terminal 103 and 104 that is used for the battery interface of battery 134.Though security module is poured into the perfusion material that solidifies, the battery 134 of security module 100 is installed in replaceably on the circuit board and pours into outside the material.Circuit board is loaded with the cell connection terminal 103 and 104 of the electrode that is used to connect battery 134.Be inserted on the corresponding interface 8 of mainboard (motherboard) 9 by means of web member 101,102 security modules 100.Communicating to connect of the system bus of first web member 101 foundation and control device, second web member 102 is used for the power supply of system voltage to security module 100.Through the pin p3 of web member 101, p5-p19's is address and data line 117,118 and control line 115.First web member 101 and/or second web member 102 are used to whether the insertion of security module 100 is carried out static state and dynamic monitoring.Pin p23 and p25 that the system voltage of mainboard 9 passes through web member 102 to the power supply of security module 100 realize, and by pin p1, p2 and p4 are realized dynamically detecting with dynamic non-insertion by safe unit 100.
Security module 100 has a microprocessor 120 in the mode that everybody was familiar with, and it has a not shown integrated ROM (read-only memory) that specific program is housed (inner ROM), and this program is that post office or post office senior officer allow to be used to the machine of postmarking.Also can on internal data bus 136, connect a read only memory ROM commonly used or FLASH storer.
Security module 100 has 130, one special circuit ASIC 150 of a reset unit and a logic PAL in the mode that everybody was familiar with, and it is as the control-signals generator of ASIC.Reset unit 130, special circuit 150 and logic PAL and may also have other not shown storeies by lead 191 and 129 by system voltage U s +Power supply, this voltage is provided by mainboard 9 when the machine of postmarking starts.The major part of postal security module PSM has been described in EP 789333A2, and it realizes the clearing and the safety of postage data.
System voltage U in addition s +Be added to the input end of voltage monitoring unit 12 through diode 181 and lead 136.Output terminal at voltage monitoring unit 12 provides second operating voltage U b +, its process lead 138 is for using.When postmarking device, replacing do not have system voltage U s +, and cell voltage U is only arranged b +For using.Cell connection terminal 104 ground connection that connect battery cathode.Provide cell voltage from the cell connection terminal 103 that connects anode, be added to the input end of voltage monitoring unit through 193, the second diodes 182 of lead and lead 136.Commercially available electric pressure converter 180 also can be in order to substitute two diodes 181,182.
The output of voltage monitoring unit 12 is connected to 120 second operating voltage U of processor by lead 138 b +Input end, this voltage is connected to a RAM memory block 122,124 at least, and as long as second operating voltage meet the requirements of size, just guarantee the non-volatile memory of above-mentioned memory block.Preferably processor 120 contains an internal RAM 124 and a real-time clock (RTC) 122.
Voltage monitoring unit 12 in the security module has a recoverable holding circuit, and it can be restored through lead 164 inquiries and through lead 135 by processor 120.Voltage monitoring unit 12 has the circuit component that is used for the holding circuit recovery.When cell voltage surpasses specified threshold, restore and just can be triggered. Lead 135 and 164 is connected to a pin (pin 1 and 2) of processor.Lead 164 gives a status signal to processor 120, and lead 135 adds a control signal to voltage monitoring unit 12.
Lead 136 on voltage monitoring unit 12 input ends is given with operating voltage or cell voltage simultaneously and is not inserted detecting unit 13 power supplies.Do not insert detecting unit 13 and provide status signal on the pin 5 of delivering to processor 120 on the lead 139, this signal provides the indication about circuit state.Do not insert the state of detecting unit 13 is inquired about by processor 120 through lead 139.Processor can not insert detecting unit 13 with a signal restoring that provides through lead 137 from the pin 4 of processor 120.After this restores, static check is done in connection.For this reason through lead 192 inquiry earth potentials, the link p4 that this earth potential is added in the interface 8 of postal security module PSM 100 go up and and if only if security module 100 just can be queried to when normally being inserted.The earth potential of the negative pole 104 of the battery 134 of postal security module PSM 100 is added on the link p23 of interface 8 when inserting security module 100, so it can not inserted detecting unit 13 and inquires by lead 192 on the link p4 of interface 8.
Connect a wire loop on the pin 6 and 7 of processor 120, it forms the loop through the pin p1 and the p2 of the web member 102 of interface 8 for processor 120.Whether postal security module PSM 100 inserts on the mainboard 9 for dynamic chek, and processor 120 provides the signal level of variation and returns to pin 6,7 and through wire loop with the complete random time interval.
Postal security module PSM 100 is equipped with a long-life batteries, and it can not monitor operating position yet when security module adds the system voltage of postal treating apparatus.Use up to specification, operation is installed or the suitable environment of packing into is the characteristic that the functional unit of security module is checked.Original installation is undertaken by the producer of postal security module.Whether (postal treating apparatus) separates from its field of employment at first only to check postal security module after original installation, and this separation appears at when changing it usually.
The monitoring of this state is not undertaken by inserting detecting unit 13.At this moment monitor a voltage swing by the ground on the pin p4 that receives interface 8.This was disconnected with being connected of ground when changing functional unit, does not insert detecting unit 13 it is responded as information.Because when each security module 100 is separated with interface 8, the circuit structure of reserve battery power supply has guaranteed the storage of above-mentioned information, and the analysis and utilization of this information can carry out at any time, reworks if wish.By this separation signal on the lead 139 of judging detecting unit 13 regularly or do not insert signal and make processor 120 can remove sensitive data, and do not change clearing and customer data in the NVRAM storer.This momentary state of having removed sensitive data of postal security module can be regarded as maintenance state, changes under this state usually, repairs or other work.Because the sensitive data of functional unit is eliminated, owing to the mistake that the against regulation operation to postal security module produces has been avoided.This sensitive data for example is a key.Processor 120 has stopped the Core Feature of postal security module under maintenance state, and these functions are for example to settle accounts and/or ask for the security code that is used for the secure print safety label.
In order to resume work, postal security module PSM at first is inserted into and sets up with the corresponding interface 8 of postal treating apparatus and is electrically connected.Then start equipment, thereby postal security module is heavily again by system voltage U s +Power supply.Based on this special state, whether up to specification must the reexamining of packing into of postal security module by its functional unit.Carry out the second level for this reason and check (dynamically insert and detect).Connect exchange message by the work of setting up between the current return 18 of first functional unit (processor 120) and interface 8, its error-free transmission has confirmed to install up to specification.This is the condition precedent of successfully reworking.
Only need reinitialize sensitive data now in order to enter duty.Certainly and between the 3rd department communicate at the safe mould of postal service, to transmit these sensitive datas.Do not insert after transmission is finished that detecting unit 13 is restored and postal security module rearming, the process of reworking finishes.
Fig. 2 illustrates the frame circuit diagram of the machine of postmarking, and it has the chip card read-write cell 70 and the printing equipment 2 by control device 1 control that are used for loading by chip card delta data.Control device 1 has a mainboard 9 that is equipped with microprocessor 91 and respective memory 92,93,94,95.
Program storage 92 contains and is used to the working routine printed at least, and contains at least and security-related program, and it is used for the format conversion of predesignating of part useful data.
Working storage RAM 93 is used for the intermediate storage of the easy mistake of intermediate result.Nonvolatile memory NVM 94 is used for the non-volatile intermediate storage of data, and data for example are the statisticss by paying place ordering.Calendar/clock 95 contains addressable non-volatile memory district in case of necessity, is used for the non-volatile intermediate storage of intermediate result or disclosed program part (for example DES algorithm).Control device 1 is connected with chip card read-write cell 70, the microprocessor 91 of control device 1 be programmed the valid data N that loads to come from the memory block of chip card 49 to the machine of postmarking with the corresponding memory block of its application.First chip card 49 that inserts the slot 72 of chip card read-write cell 70 allows to download and is used for a kind of data set of application at least to the machine of postmarking.Chip card 49 for example has, and all common post office business produce marking figure and cover the post office marked price to mail for the machine that postmarks by postage and a post office mark of post office price list.
Control device 1 constitutes original dial plate, and it has the device 91 to 95 of mainboard 9 and comprises keyboard 88, display unit 89 and special circuit ASIC 90 and be used for the determine interface 8 of PSM 100 of postal safe mould.Security module PSM 100 is connected with microprocessor 91 with ASIC 100 by bus, is connected with display unit 89 with the device 91 to 95 of mainboard 9 at least by parallel μ c bus.Control bus connects signal CE, RD and WR between security module PSM 100 and ASIC 90.Microprocessor 91 preferably has a pin to be used for providing look-at-me i by security module PSM 100, other links are used for keyboard 88, a serial line interface S1-1 is used to connect chip card read-write cell 70, and a serial line interface S1-2 is used for the additional modulator-demodular unit that connects.Can for example be increased in the content of storing in the nonvolatile memory of postal security module PSM 100 by means of modulator-demodular unit.
Postal security module PSM 100 is encapsulated in security personnel's shell.In postal security module PSM 100, finish the clearing of hardware before postmarking at every turn.Finishing with paying place of clearing is irrelevant.Postal security module PSM 100 inside are implemented can describing in detail in Europe report EP 789333A3.
ASIC 90 has one to connecing the serial interface circuit 98 of equipment before the postal service stream, one to the sensor of printing equipment 2 and the serial interface circuit 96 of performer, serial interface circuit, and a serial interface circuit to the printing equipment 20 in the postal service stream follow-up equipment to the printing control circuit 16 of printhead 4.DE 19711997 is available Peripheral Interface embodiments, and it is applicable to many peripheral hardwares (station), and its exercise question is: realize the configuration of communication between the base station of postal processor and other stations and emergency cut-off thereof.
The interface circuit 96 that is connected with interface circuit 14 in the machinery bed provides at least and sensor 6,7,17, with performer, for example, regulate station RDS 40 with the purification and the denseness of ink jet-print head 4 with the drive motor 15 of roller 11, and with machinery bed in being connected of tag generator 50.The scheme that matching relationship between main configuration and ink jet-print head 4 and the RDS 40 can adopt DE 19726642C2 to propose, its exercise question is: realize the configuration of the location of ink jet-print head and purification and denseness regulating device.
One that is installed in the sensor 7,17 on the header board is to be used for mail to transmit the sensor 17 that preparation is printed in starting.Sensor 7 is used for the mail transmission prints to purpose with starting the initial identification of mail.Conveyer is by a travelling belt 10 and two roller 11,11 ' compositions.One of them roller is the drive roller 11 that is equipped with motor 15, another be driven tension force roller 11 '.Preferably drive roller 11 is designed to the gear roller, and correspondingly travelling belt 10 also is designed to the gear travelling belt, and it guarantees clear and definite power transmission.Scrambler 5,6 and roller 11,11 ' in one be coupled.Preferably drive roller 11 is fixedly mounted on the axle with an increment generator 5.Increment generator 5 for example is designed to disk plate with slots, and it is worked with a grating 6, and provides coded signal to mainboard 9 through lead 19.
Each type element of printhead is connected with printhead circuit in its shell, and the printhead that accurate electricity is printed is controlled.Print control and realize that based on path control wherein selected marking prescription is taken into account, this prescription is by keyboard 88 or be not that easy lost territory is stored among the storer NVM 94 by the chip card input when needed.The printing of plan is not by marking prescription (printing), and indicia prints figure and other are used for the printing curve of ad content in case of necessity transports information (selective printing) and adds editable notice generation.Nonvolatile memory NVM 94 has a plurality of memory blocks.Store the postage table of download there non-volatilely.
Chip card read-write cell 70 is made up of the mechanical carrier and the linkage unit 74 of corresponding microprocessor card.The latter makes and remains on the read-out position reliably on the chip card machinery and indicate chip card to arrive at read-out position clearly in linkage unit.Microprocessor card with microprocessor 75 has the programming readout capacity to all types of memory cards and chip card.With the interface of the machine of postmarking be the serial line interface that meets RS 232 standards.Data transmission rate is minimum to be the 1.2K baud.The connection of power supply realizes by means of the switch 71 that is installed on the mainboard.After energized, test oneself and send and be ready to notice.
Fig. 3 illustrates the skeleton view that the machine of postmarking is looked from behind, and the machine that postmarks is made of dial plate 1 and pedestal 2.The latter is equipped with chip card read-write cell 70, it be installed in header board 20 the back and can be from shell upper edge 22 near it.Chip card 49 is inserted in the insertion groove 72 from the top down start the machine of postmarking with switch 71 after.The mail 3 that is admitted to stands on the edge, lies on the header board with its forward that is printed, and it is printed a last postmark 31 according to the input data then.Mail input perforate is limited from the side by transparent panel 21 and guide plate 20.The state indication that is inserted in the security module 100 on dial plate 1 mainboard 9 can be seen from the outside by perforate 109.
Fig. 4 illustrates the frame circuit diagram of a kind of preferred form of postal security module PSM 100.The negative pole of battery 134 be connected to the pin p23 of web member 102 on.The positive pole of battery 134 is connected to the input end of electric pressure converter 180 by lead 193, and the lead 191 of feeder system voltage is connected with another input end of electric pressure converter 180.Life-span can reach the SL-386/p type battery that the SL-380/p type battery in 3.5 years or life-span can reach 6 years and is suitable for use as battery 134 when PSM 100 maximum power consumptions.Commercially available ADM 8693ARN type circuit can be used as electric pressure converter 180.The output terminal of electric pressure converter 180 is received battery detection unit 12 and detecting unit 13 through lead 136.Battery detection unit 12 and detecting unit 13 establishes a communications link with the pin 1,2,4 and 5 of processor 120 through leads 135,164 and 137,139.The output of electric pressure converter 180 also is connected to the power supply input end of first storer SRAM through lead 136, this storer is converted into the nonvolatile memory NVRAM of first kind of technology when having battery 134.
Security module connects through system bus 115,117,118 and the machine of postmarking.Processor 120 can establish a communications link with data center far away through system bus and modulator-demodular unit 83.Clearing are finished by ASIC 150 and are checked by processor 120.Postal settlement data is stored in the nonvolatile memory of different process.
System voltage is added to the power supply input end of second storer NV-RAM 114.It is the nonvolatile memory NVRAM of second kind of technology, (SHADOW-RAM).This second kind of technology preferably comprises a RAM and an EEPROM, and wherein the latter preserves data content automatically when system voltage interrupts.The NVRAM 114 of second kind of technology is connected with data input pin with the appropriate address input end of ASIC 150 through internal address bus and data bus 112,113.
ASIC 150 comprises a hardware clearing unit that is used to calculate the postal data that will store at least.In programmable logic array (PAL) 160, arranged the access logic on the ASIC 150.ASIC 150 is subjected to logic PAL 160 controls.The address bus of mainboard 9 and data bus 117,115 are connected on the corresponding pin of logic PAL 160, and PAL 160 produces a control signal and the control signal 119 to program storage FLASH 128 that is used for ASIC 150 at least.Program of processor 120 operations, it is stored among the FLASH 128.Processor 120, FLASH 28, and ASIC 150 and PAL 160 interconnect by the system bus of inside modules, and bus comprises and is used for data-signal, the lead 110,111,126,119 of address signal and control signal.
The processor 120 of security module 100 is connected with ASIC 150 with FLASH 128 by internal data bus 126.FLASH 128 is by system voltage U s +Power supply.For example it is the AM29F01045EC type FLASH storer of a 128K byte.The ASIC 150 of postal security module 100 receives address 0 to 7 on the corresponding address input end of FLASH 128 by the address bus 110 of inside modules.The processor 120 of security module 100 is received address 8 to 15 on the corresponding address input end of FLASH 128 by internal address bus 111.The ASIC 150 of security module 100 is by the web member 101 of interface 8 and the data bus 118 of mainboard 9, and address bus 117 and control bus 115 connect.
Processor 120 has storer 122,124, from the operating voltage U of voltage monitoring unit 12 b +Power to them by lead 138.Especially real-time clock RTC 122 and memory RAM 128 are powered by operating voltage by lead 138.Voltage monitoring unit (battery observer) 12 gives a status signal 164 and responsive control signal 135.Electric pressure converter 180 provide output voltage to the lead 136 to battery observer 12 and storer 116 power supplies, its output voltage is big that in its two input voltages.Because this circuit is according to voltage U s +And U b +Size from employing bigger in two power supply, therefore battery 134 can be replaced and loss of data can not take place when operate as normal.
Under aforesaid way, give real-time clock (RTC) 122 and/or static RAM (SRAM) (SRAM) 124 power supplies by the battery 134 of security module 100 in time out of service outside operate as normal, this clock have the date and/or period time register, SRAM preserves the relevant data of safety.If cell voltage drops to below the specified threshold when battery operated,, restore up to it, so the supply voltage of RTC and SRAM is 0 volt then by the feeding point ground connection of voltage monitoring unit 12 with RTC and SRAM.This SRAM 124 that causes comprising for example important key is cleared very soon.The register of RTC 122 also is eliminated and loses real-time clock time and real-time date simultaneously.Avoided stopping and safe relevantly do not lose by above-mentioned action at the machine clock 122 that may be subjected to postmarking when handling the attack that cell voltage carries out.Thereby no longer need the safety practice as for example long-time timer or monitor to tackle attack.
Reset unit 130 is connected with the pin 3 of processor 120 and of ASIC 150 by lead 131.The reseting signal reset that processor 120 and ASIC 150 produce in the unit of being reset 130 when supply voltage descends.
Simultaneously foregoing circuit enters the self-insurance state with the battery low-voltage indication, even voltage had raise and also still remains on this state afterwards.But the state of processor enquiry circuit (status signal) and/or judge in front that by the content that reads the storer that is eliminated cell voltage once dropped to below the setting in the time when next time opening module.Processor can restore observation circuit, promptly recovers its function.
Do not insert detecting unit 13 in order to measure input voltage, pin and the interface 8 of a lead 192 through security module is arranged, preferably a socket on the machine motherboard 9 that postmarks is connected with ground.This measures and is used as static state monitoring of whether inserting and the basis that constitutes first order monitoring.Do not insert detecting unit 13 and have the circuit component that is used for restoring holding circuit, and holding circuit starting when the regulation of the voltage deviation on the measuring voltage line 192 current potential.The processor 120 that is programmed simultaneously and is connected with other functions keeps or changes the corresponding state of security module 100 according to applied logic.The state of holding circuit is inquired about by the processor 120 of security module 100 through lead 139.Measuring voltage current potential when security module 100 normal insertions on the lead 192 is current potential accordingly, is the operating voltage current potential on the lead 139.The ground voltage current potential is not on lead 139 when security module 100 is not inserted.The 5th pin of processor 120 connects lead 139, and do not insert the state of detecting unit 13 with inquiry: whether this pin is received on the earth potential by holding circuit.In order to restore the holding circuit that does not insert detecting unit 13 through lead 137, processor 120 adopts its 4th pin.
Have a current return 18 in addition, its pin by security module and the socket on the machine mainboard 9 that postmarks are connected with each other the pin 6 and 7 of processor 120.Lead on the pin 6 and 7 of processor 120 only just connects into current return 18 when PSM 100 inserts on the mainboard 9.This loop constitutes the basis that whether the dynamic monitoring security module is inserted on the second level.
There are 121, one real-time clock RTC122 of a processing unit CPU processor 120 inside, a ram cell 124 and an I/O unit 125. Pin 8,9 at least one signal of output of processor 120 are in order to the state of indication security module 100.Pin 8 is connected the I/O mouth of I/O unit 125 with 9, be connected to the indicating device of inside modules on it, and for example the colorful light-emitting diode (LED) 107,108, the state of their indication security modules 100.Security module can be under the different states in its lifetime.Thereby for example must whether contain effective key by detection module.Fault is normally still arranged also is important to the determination module function in addition.The function of the accurate type of module status and quantity and module realization is relevant with realization.
The circuit of detecting unit 13 is described by Fig. 5 below.Do not insert detecting unit 13 and have a voltage divider, it is by resistance 1310,1312, and 1314 series circuit constitutes, and this voltage divider is connected between the supply voltage current potential and the measurement current potential on the lead 192 that connects capacitor 1371.Circuit is powered by system voltage or cell voltage by lead 136.The supply voltage of lead 136 arrives on the capacitor 1371 of circuit by secondary pipe 1369.The outgoing side of circuit has a phase inverter 1320,1398.The transistor 1320 of phase inverter ends under normal condition, and supply voltage is added on the lead 139 through resistance 1398, so output logic ' 1 ' is a high level under normal condition.Preferably the low level on the lead 139 is not as inserting status signal, because do not have electric current to flow in processor 120 pins 5 like this, this will increase battery life.Diode 1369 is preferably with electrolytic condenser 1371 power supply, make that voltage on the lead 136 is cut off after, the circuit of phase inverter front still obtains supply voltage in interval when long relatively (greater than 2s), guarantee its function.
Voltage divider 1310,1312,1314 have a leading-out end 1304, connect the in-phase input end of capacitor 1306 and comparer 1300 on it.The inverting input of comparer 1300 connects reference voltage source 1302.The output of comparer 1300 connects lead 139 through phase inverter 1320,1398 on the one hand, and the control input end with holding circuit element 1322 is connected on the other hand.Circuit component 1322 is in parallel with the resistance 1310 of voltage divider, and circuit component 1316 is used for restoring holding circuit, and it is connected between leading-out end 1304 and the ground.The leading-out end 1304 of voltage divider is positioned at the tie point of resistance 1312 and 1314.The capacitor 1306 that is connected between leading-out end 1304 and the ground stops vibration.Voltage on the leading-out end 1304 of voltage divider in comparer 1300 with the reference voltage in source 1302 relatively.If the voltage that is compared on the leading-out end 1304 is less than the reference voltage in source 1302, comparer output keeps low level, and the transistor 1320 of phase inverter ends.Lead 139 has the operating voltage current potential like this, and status signal is a logical one.Voltage divider be designed such that lead 192 during for earth potential the voltage on the leading-out end 1304 be lower than the handoff threshold of comparer 1300 reliably.If because security module 100 breaks away from and makes to connect and be cut off and lead 192 ground connection no longer that then the voltage on the leading-out end 1304 surpasses the voltage of reference voltage source 1302, comparer 1300 counter-rotatings from the socket of mainboard 9 or the machine interface 8 that postmarks.Comparer output switches to high level, transistor 1320 conductings.Lead 139 earthing potentials like this, status signal is a logic ' 0 '.
Realize not inserting the holding circuit of detecting unit 13 by means of the transistor in parallel 1322 with the resistance 1310 of voltage divider.The control input end of transistor 1322 is compared the device output terminal and receives on the high level.Thereby transistor 1322 conductings and being connected across on the resistance 1310, thereby voltage divider only also is made of resistance 1312 and 1314.Handoff threshold is further improved like this, makes still to remain on inverted status when comparer when inserting security module again and make lead 192 receive earth potential heavily again.
The state of circuit can be by the signal on the lead 139 by processor 120 inquiries.
Do not insert detecting unit 13 and have the circuit component that is used for restoring holding circuit: lead 137 and circuit component 1316.The signal triggering that recovery is passed through on the lead 137 by processor 120.
Processor 120 can pass through special circuit ASIC 150 at any time, first web member 101, the system bus of control device 1, and for example set up with data center far away through modulator-demodular unit by microprocessor 91 and contact, this center checks that settlement data also transmits other data in case of necessity and arrives processor 120.The special circuit ASIC 150 of security module 100 is connected with processor 120 through the data bus 126 of inside modules.
Successfully be through with by means of the data that transmit reinitialize after, processor 120 can restore and not insert detecting unit and make transistor 1316 conductings by the release signal that is added on the lead 137 for this reason, and following and transistor 1320 and 1322 ends thereby the voltage on the leading-out end 1304 is pulled to the reference voltage in source 1302.Transistor 1322 ends under normal condition, and resistance 1310 and 1312 series connection constitute the upper part of above-mentioned voltage divider, thereby handoff threshold drops to original state heavily again.
Fig. 6 illustrates the side view of security module physical construction.This security module is configured to multi-chip module, and promptly a plurality of functional units are contained on the circuit board 106.Perfusion material 105 perfusions that security module 100 usefulness are solidified, wherein the battery 134 of security module 100 is installed in replaceably on the circuit board 106 and pours into outside the material 105.For example, so, make indicating device 107,108 from the perfusion material, stretch out, and circuit board 106 stretch out second position from the side with the battery 134 that is placed in first position with 105 perfusions of perfusion material.Circuit board 106 also has the cell connection terminal 103 and 104 of the electrode that is used for connecting battery 134 in addition, and it is preferably on the circuit board 106 upper element installed surfaces.In order to insert postal security module PSM 100 on the mainboard of dial plate 1, web member 101 and 102 is installed in following (circuit surface) of the circuit board 106 of security module 100.Special circuit ASIC 150 establishes a communications link by the system bus of first web member 101 with not shown mode and control device 1, and second web member 102 is used for the power supply of system voltage to security module 100.If security module has been inserted on the mainboard, preferably like this it is contained in the dial plate shell then, make indicating device 107,108 near or put in the perforate 109.The dial plate shell is preferably so constructed, and makes the user can see the state indication of security module from the outside.Two light emitting diodes 107 of indicating device and 108 two output signals controls by I/O mouth on processor 120 pins 8,9.Two light emitting diodes are positioned in (two colorful light-emitting diode) in the common element shell, and the deviation of perforate and diameter can keep relatively littler and within the order of magnitude of indicating device like this.Can present three kinds of different colors (red, green, orange) in principle, yet only use wherein two kinds (red and green).For distinguishing state also can make the LED flicker, can distinguish 8 kinds of different state group like this, they are represented with following led state: LED does not work, and LED is red to be dodged, and the LED redness is bright, and LED is green to be dodged, and the LED green is bright.
Fig. 7 illustrates the top view of postal security module.
Fig. 8 a and 8b illustrate the view of the security module of right or left looking respectively.From Fig. 8 a and 8b, can know the position of finding out circuit board 106 following web members 101 and 102 in conjunction with Fig. 6.
According to postal equipment of the present invention mainly is the machine of postmarking.But security module also has other versions, can for example be inserted on the mainboard of personal computer, and it controls a commercially available printer as the PC-machine that postmarks.
The invention is not restricted to above-mentioned form of implementation, disclosed other configuration and embodiment of the present invention can be developed and utilize, and they are from basic ideas of the present invention and in the claims involved.

Claims (13)

1. protect the method for security module; described security module comprise first, second and the 3rd functional unit; wherein first functional unit is processor (120); second functional unit is to have the voltage monitoring unit (12) that can restore self-retaining function; and the 3rd functional unit is to have the not insertion detecting unit (13) that can restore self-retaining function, comprises step:
When powering with system voltage, security module utilize first functional unit to monitor the state of security module, whether utilize second functional unit to monitor security module is used up to specificationly or is utilized the 3rd functional unit to monitor the replacing of security module
When against regulation use or replacing, remove sensitive data with second functional unit at least,
When changing security module (100) with the function of the 3rd functional unit locking security module (100),
Reinitialize the sensitive data that has been eliminated in security module (100) use up to specification or after changing with first functional unit,
Rework by discharging second of security module (100) and the 3rd functional unit.
2. the method for claim 1, it is characterized in that, after whether it inserts and successfully carries out in detection of dynamic, first functional unit establishes a communications link with data center far away and realizes described reinitializing, wherein when detecting first functional unit by current return (18) exchange message of interface (8), delivery confirmation that it is error-free is installed and is met the requirements, and second of security module and the 3rd functional unit discharge by its recovery.
3. be used to be inserted into the security module on the equipment motherboard, comprise:
Store the memory of data relevant with security;
Voltage monitoring unit, it provides operating voltage to described storer, to keep the described data storage relevant in storer with security, and when occurring showing security module by the voltage level of non-correct use and/or replacing, described voltage monitoring unit makes described storer disconnect from described voltage, is stored in wherein relevant data of described and security with removing;
Do not insert detecting unit, it quits work described security module when changing described security module, and detecting unit also has self-retaining function, shows that described security module is replaced, when the measuring voltage level departed from predetermined voltage level, described self-retaining function was triggered; And
Be connected to described voltage monitoring unit and the described processor that does not insert detecting unit, after described security module and/or is changed non-correct use, described processor is by starting described voltage monitoring unit and the described detecting unit that do not insert restarts security module, shows describedly not insert detecting unit and restarted.
4. security module as claimed in claim 3, the wherein said detecting unit that do not insert comprises lead and on-off element, is used to restart described self-retaining function, described processor sends signal on described lead, to trigger described on-off element.
5. security module as claimed in claim 4, the wherein said detecting unit that do not insert comprises:
A voltage divider, it comprises a resistance in series circuit, a terminal that is used to receive supply voltage is crossed in the cross-over connection of described resistance in series circuit, and picks out a capacitor by the leading-out end branch, also comprises a lead, is applied with measuring voltage on it;
One is connected and is used to receive the described terminal of described supply voltage and the diode between the described capacitor;
A comparer, it has a non-inverting input and an inverting input that is connected to reference voltage source, and a comparator output terminal;
From another capacitor that described voltage divider branch picks out, be connected to the described non-inverting input of described comparer;
Described comparator output terminal is connected to a lead that is in a voltage potential by a phase inverter;
An on-off element has the control input end that is connected to described comparator output terminal, and described on-off element has produced described self-retaining function, and is connected in parallel with a resistance of described voltage divider; And
Described on-off element is used to restart described self-retaining function, described on-off element be connected to described voltage divider be used to connect between the leading-out end and ground of described another capacitor.
6. security module as claimed in claim 5 also comprises an inquiry lead, and it is connected described processor and described the insertion between the detecting unit, is used for by the described self-sustaining state that does not insert detecting unit of described processor inquiry.
7. security module as claimed in claim 6, the wherein said lead that is applied with described measuring voltage is in earth potential, and wherein when described security module is inserted on the described equipment motherboard, be connected to described comparator output terminal, the described lead that is in a voltage potential is in the operating voltage current potential, otherwise, if described security module is not inserted on the described equipment motherboard, the lead that then is connected to described comparator output terminal is in earth potential.
8. security module as claimed in claim 3, wherein said storer is included in the described processor, when described processor is powered with system voltage, described storer is powered with operating voltage by described voltage monitoring unit, and wherein said processor has a terminal, be used to restart the described described self-retaining function that does not insert detecting unit, described processor also has another terminal, is used to inquire about the described state that does not insert detecting unit.
9. security module as claimed in claim 8, also comprise a special IC, it is connected to described processor by internal data bus, and described special IC has first group of splicing ear, is used to be connected to the system bus of the equipment that comprises described equipment motherboard.
10. security module as claimed in claim 3, also comprise a printed circuit board (PCB), with machinery and electric mode described processor, described electric voltage observation circuit and the described detecting unit that do not insert have been installed on this printed circuit board (PCB), described printed circuit board (PCB) has the splicing ear that is used to connect battery;
A security module shell, formed on every side at described printed circuit board (PCB) and described processor mounted thereto, described electric voltage observation circuit and the described detecting unit that do not insert by the perfusion material that solidifies, described splicing ear is open towards the outside of described shell;
Battery is connected to described splicing ear replaceably in the outside of described shell; And
Described printed circuit board (PCB) has first group of splicing ear, can be from the outside contact of described shell, be used for communicating with the system bus that includes the equipment of described equipment motherboard, also have second group of splicing ear, can be from the outside contact of described shell, be used for receiving system voltage, and at least one group of splicing ear in described first group of splicing ear and the described second group of splicing ear be connected to the described detecting unit that do not insert, be used for monitoring the insertion state of described security module.
11. security module as claimed in claim 10, wherein said processor comprises some contacts, is used for when described security module is inserted on the described equipment motherboard, monitors the described insertion state of described security module by the lead that forms circuit loop.
12. security module as claimed in claim 3, wherein said preparation implement are useful on transmission, and at least one discerns the contact of the signal of described security module state.
13. security module as claimed in claim 12, wherein said processor is connected to an I/O unit, described I/O unit has input/output end port, also has at least one interior signaling unit, and it is connected internally on the described input/output end port in described security module.
CNB001038745A 1999-03-12 2000-03-10 Method for protection of safety module and configuration for carrying out said method Expired - Lifetime CN1156801C (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE19912781A DE19912781A1 (en) 1999-03-12 1999-03-12 Method for protecting a security module and arrangement for carrying out the method
DE19912781.6 1999-03-12

Publications (2)

Publication Number Publication Date
CN1276579A CN1276579A (en) 2000-12-13
CN1156801C true CN1156801C (en) 2004-07-07

Family

ID=7901896

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB001038745A Expired - Lifetime CN1156801C (en) 1999-03-12 2000-03-10 Method for protection of safety module and configuration for carrying out said method

Country Status (5)

Country Link
US (1) US6952777B1 (en)
EP (1) EP1035517B1 (en)
CN (1) CN1156801C (en)
AU (1) AU2081100A (en)
DE (2) DE19912781A1 (en)

Families Citing this family (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19928057B4 (en) 1999-06-15 2005-11-10 Francotyp-Postalia Ag & Co. Kg Security module and method for securing the postal registers from manipulation
DE19928061C2 (en) 1999-06-15 2003-08-28 Francotyp Postalia Ag Security module to monitor system security and procedures
DE19928058B4 (en) 1999-06-15 2005-10-20 Francotyp Postalia Ag Arrangement and method for generating a security impression
DE10061665A1 (en) 2000-12-11 2002-06-20 Francotyp Postalia Gmbh Method for determining a need to replace a component and arrangement for carrying out the method
DE10116703A1 (en) * 2001-03-29 2002-10-10 Francotyp Postalia Ag Method for recording a consumption value and consumption counter with a sensor
DE10136608B4 (en) 2001-07-16 2005-12-08 Francotyp-Postalia Ag & Co. Kg Method and system for real-time recording with security module
DE10312654B4 (en) * 2003-03-21 2005-06-09 Thales E-Transactions Gmbh Electronic protection device for parts of assemblies
DE10337567B3 (en) * 2003-08-14 2005-01-13 Thales E-Transactions Gmbh Protective structure for securing hardware against break-in, has contact between elastomer and circuit board interrupted when attempt is made to remove circuit board
DE102004028338A1 (en) * 2004-06-11 2006-01-12 Siemens Ag tachograph
FR2872947B1 (en) * 2004-07-08 2007-04-20 Neopost Ind Sa BUFFER WITH ELECTRONIC AFFRANCHIR
DE102007011309B4 (en) * 2007-03-06 2008-11-20 Francotyp-Postalia Gmbh Method for authenticated transmission of a personalized data record or program to a hardware security module, in particular a franking machine
US9355277B2 (en) * 2012-08-31 2016-05-31 Ncr Corporation Installable secret functions for a peripheral
US10008104B2 (en) * 2014-04-25 2018-06-26 Tyco Safety Products Canada Ltd. Security system output interface with overload detection and protection
RU2628142C1 (en) * 2016-06-16 2017-08-15 Валерий Аркадьевич Конявский Method for protecting computer
DE102016114805A1 (en) * 2016-08-10 2018-02-15 Kriwan Industrie-Elektronik Gmbh Method and embedded system for monitoring, controlling or regulating a machine
RU2630890C1 (en) * 2016-12-29 2017-09-13 Владимир Дмитриевич Новиков Method of providing protected work of computing means and device for its implementation
RU175189U1 (en) * 2017-04-07 2017-11-27 Валерий Аркадьевич Конявский COMPUTER FOR WORK IN THE TRUSTED COMPUTER ENVIRONMENT
RU182701U1 (en) * 2017-12-18 2018-08-28 Валерий Аркадьевич Конявский TRUSTED COMPUTER

Family Cites Families (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPS5880755A (en) * 1981-11-09 1983-05-14 Sharp Corp Electronic computer
GB2144081B (en) 1983-07-23 1987-10-28 Pa Consulting Services Postal franking machines
US4575621A (en) * 1984-03-07 1986-03-11 Corpra Research, Inc. Portable electronic transaction device and system therefor
JPS6227843A (en) * 1985-07-29 1987-02-05 Sharp Corp Electronic equipment
US4804957A (en) * 1985-11-27 1989-02-14 Triad Communications, Inc. Utility meter and submetering system
GB2183852A (en) * 1985-11-27 1987-06-10 Triad Communications Inc Utility meter
US4903232A (en) * 1987-06-26 1990-02-20 Connell James A O Electronic programmable stamping marking device
US5185717A (en) * 1988-08-05 1993-02-09 Ryoichi Mori Tamper resistant module having logical elements arranged in multiple layers on the outer surface of a substrate to protect stored information
FR2640798B1 (en) * 1988-12-20 1993-01-08 Bull Cp8 DATA PROCESSING DEVICE COMPRISING AN ELECTRICALLY ERASABLE AND REPROGRAMMABLE NON-VOLATILE MEMORY
US5097253A (en) * 1989-01-06 1992-03-17 Battelle Memorial Institute Electronic security device
US5027397A (en) * 1989-09-12 1991-06-25 International Business Machines Corporation Data protection by detection of intrusion into electronic assemblies
IL95903A (en) * 1989-10-03 1995-08-31 Univ Technology Electro-active cradle circuits for the detection of access or penetration
JPH0685320B2 (en) * 1989-10-31 1994-10-26 シャープ株式会社 Battery storage mechanism for electronic devices
US5515540A (en) * 1990-08-27 1996-05-07 Dallas Semiconducter Corp. Microprocessor with single pin for memory wipe
DE4213278C2 (en) 1992-04-16 1998-02-19 Francotyp Postalia Gmbh Arrangement for franking mail
US5490077A (en) 1993-01-20 1996-02-06 Francotyp-Postalia Gmbh Method for data input into a postage meter machine, arrangement for franking postal matter and for producing an advert mark respectively allocated to a cost allocation account
DE4333156C2 (en) * 1993-09-29 1995-08-31 Siemens Ag Circuit arrangement for connecting an electronic assembly to an operating voltage
DE4344476A1 (en) 1993-12-21 1995-06-22 Francotyp Postalia Gmbh Process for improving the security of franking machines
DE4344471A1 (en) 1993-12-21 1995-08-17 Francotyp Postalia Gmbh Method and device for generating and checking a security impression
GB9514096D0 (en) * 1995-07-11 1995-09-13 Homewood Clive R Security device
DE19605015C1 (en) 1996-01-31 1997-03-06 Francotyp Postalia Gmbh Device for printing on print carrier standing on edge e.g. letter in franking or addressing machine
DE59710554D1 (en) 1996-01-31 2003-09-18 Francotyp Postalia Ag franking machine
DE19610070A1 (en) 1996-03-14 1997-09-18 Siemens Ag Smart card
CA2271097A1 (en) * 1996-11-07 1998-05-14 Edward Naclerio System for protecting cryptographic processing and memory resources for postal franking machines
US6292898B1 (en) * 1998-02-04 2001-09-18 Spyrus, Inc. Active erasure of electronically stored data upon tamper detection
US6105136A (en) * 1998-02-13 2000-08-15 International Business Machines Corporation Computer system which is disabled when it is disconnected from a network
US5969504A (en) * 1998-03-06 1999-10-19 The Johns Hopkins University Automatic battery power switch
US6185645B1 (en) * 1998-06-08 2001-02-06 Micron Electronics, Inc. Method for removing power and signals from an inadvertently swapped bus card
US6088762A (en) * 1998-06-19 2000-07-11 Intel Corporation Power failure mode for a memory controller

Also Published As

Publication number Publication date
EP1035517B1 (en) 2008-08-20
DE50015314D1 (en) 2008-10-02
EP1035517A2 (en) 2000-09-13
EP1035517A3 (en) 2000-12-20
DE19912781A1 (en) 2000-11-23
CN1276579A (en) 2000-12-13
AU2081100A (en) 2000-09-14
US6952777B1 (en) 2005-10-04

Similar Documents

Publication Publication Date Title
CN1156801C (en) Method for protection of safety module and configuration for carrying out said method
CN1148705C (en) Safety module configuration
CN1156800C (en) Method for protecting safety modular and configuration for realising said method
EP0969421B1 (en) Method for improving the security of franking machines
EP0892370B1 (en) Secure metering vault having led output for recovery of postal funds
EP0762337A2 (en) Method and device for enhancing manipulation-proof of critical data
CN100459367C (en) Power-supply battery compensating system and its operation for electric automobile
CN202197131U (en) Self-diagnosis intelligent electric automobile charging pile circuit
CN1151474C (en) Safety module with state signal
EP1063619B1 (en) Security module and method for protecting the postal register against manipulation
US7610501B2 (en) Arrangement for the power supply for a security domain of a device
DE19534530A1 (en) Process for securing data and program code of an electronic franking machine
CN1178172C (en) Device of loading price list
CN205539940U (en) Selenium drum of forever regenerating
NO322181B1 (en) Method and apparatus for storing data using a terminal
EP1061479A2 (en) Arrangement and method for generating a security imprint
CN109068290A (en) A kind of rail traffic equipment information collection terminal
CN1236146A (en) Postage printing system having secure reporting of printer errors
JPS6368993A (en) Fee instrument with fee meter enabling reading of memory data

Legal Events

Date Code Title Description
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C06 Publication
PB01 Publication
C14 Grant of patent or utility model
GR01 Patent grant
CX01 Expiry of patent term
CX01 Expiry of patent term

Granted publication date: 20040707